ICO consultation on the draft right of access
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


What is personal data. It is very common for access requests to be made in the context of the
employment relationship and it would be helpful for further guidance and examples of what constitutes 
personal data in this context. There are some areas in the guidance that appear contradictory and it 
would be helpful to have some clarity. 


For example, take the example of an email between colleagues setting out details relating to a project 
they are working on. Perhaps this is an order for machinery or discussion on how the project is going 
generally. The ICO guidance suggests that information which could be used to 
learn/decide/influence something about the individual will be personal data even if it is not its primary 
purpose. This would, arguably, result in all work emails (including the example above) being personal 
data from the outset as, whilst they are primarily used to facilitate communication and for the 
performance of duties, they could be used to learn/decide something at some stage e.g. to 
investigate performance/conduct concerns if issues are raised with the data subject's 
actions/performance. However, the ICO guidance then gives an example involving legal advice 
stating that, when given, this would not be the personal data of the lawyer but that it would become 
personal data if the lawyer's performance was criticised and the letter was used to investigate this. This 
suggests that documents may not be personal data at the outset just because they 'could' be used to 
learn something and that they will only become personal data when they are so used. It would be 
helpful to have clarity here as clearly the former approach could result in all work emails being personal 
data even where the focus of the emails is not on the individual themselves but on work they are 
involved with. This would result in organisations having to sort through huge volumes of data and would 
also result in a data subject receiving a lot of personal data that they have no interest in. 


Extension of time for response. It would be helpful to have further guidance on what is meant by
complex. For example, in the employment context access requests can be enormous, spanning 
thousands of documents over decades of employment. Most of this personal data is found in emails 
which always contain third party data. Therefore, it often takes a substantial amount of time to 
retrieve, review, redact and send the personal data. Would this redacting of third party data fall into 
the point "Applying an exemption that involves large volumes of particularly sensitive data"? Sensitive 
data is not defined. If a company goes to a third party/lawyer for redactions and assistance would this 
fall within the last point "Any specialist work involved in redacting information or communicating it in an 
intelligible form" or would this only apply where data is sent off to a specialist due to technical issues (for
example where CCTV has to be redacted before it can be sent)? Is there any guidance available for 
companies who process such a large volume of data that they are unable to retrieve, review, redact 
and send this as necessary within the one month deadline? It is common for data subjects to refuse to 
provide information to help focus their requests and many insist on all their personal data, as they are 
entitled to do. Therefore, guidance here is needed. 


Manifestly unfounded or excessive. There is still little guidance on what this means and some of the 
examples given are unlikely to arise in practice. For example, data subjects may well make malicious 
requests, but it is rare they would admit this in their request. Often, data subjects will make a request as 
a precursor to a legal claim and offer to drop this if settlement can be reached and thus the intention
is to put pressure on the employer and encourage it to settle (as the employee is aware of the
administrative burden on the employer here). Correspondence in this regard is usually 'without
prejudice' and so cannot be referenced. Is an employer able to refuse to comply with such an access
request in these circumstances? Is there any guidance to deal with this situation as it is very common?


Q2 Does the draft guidance contain the right level of detail? 


Yes 


X No


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


See Q1 above. Access requests are now increasingly common in the employment context 
and it would be useful to have more specific practical examples to assist organisations in 
complying with their obligations. 


Q3 Does the draft guidance contain enough examples? 


Yes 
X No


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


See Q1 and 2 above. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


See Q1 point above. 


Q5 On a scale of 1-5 how useful is the draft guidance?
1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful
O O O O
Q6 Why have you given this score? 


It is useful to have all the guidance pulled into one document and to have more examples
to work with. However, many of the examples provided are straightforward and it would
be helpful to tackle some of the trickier areas. This is particularly so in the employment
context. It would be helpful to have more practical examples. It would be really helpful,
for example, to have examples of emails/documents with the ICO showing what they feel
constitutes personal data within these and how they would redact them to remove third
party data. Examples specific to employment would be really helpful, particularly those
involving more generic work emails.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree
O O X


Q8 Please provide any further comments or suggestions you may have about the draft
guidance.


The guidance is easy to read and follow but there are parts that require further 
clarification, as set out above, and more practical examples to allow organisations to 
understand how the law works in practice. As the guidance recognises that most 
organisations will find it easier to send copies of documents it would be useful to have a 
few case-study examples showing various documents and identifying what information
would be classed as personal data and how the documents should be redacted to ensure
only the subject’s personal data is revealed. A focus on emails would be preferable given 
how common they are to all organisations. It would be extremely useful to have a case 
study set in an employment context. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

X An individual acting in a professional capacity 

O On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Clarkslegal LLP 


What sector are you from: 


Employment 


Q10 How did you find out about this survey? 


O ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 


Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


